Dead code and non-existing classes mentioned in WMFSecurityPolicy.php
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Aklapper
	Feb 7 2025, 12:47 AM

Description

Does anything still call the methods

getSecurityProjectForTask
filter_policy_transactions
getSecurityFieldValue

in https://gitlab.wikimedia.org/repos/phabricator/extensions/-/blob/wmf/stable/src/policy/WMFSecurityPolicy.php ?

Plus

SecurityPolicyEventListener is mentioned twice in comments in that repo but no idea what it is/was.
https://gitlab.wikimedia.org/repos/phabricator/extensions/-/blob/wmf/stable/src/policy/README mentions SecurityPolicyListener and PhabricatorPolicyRuleTaskSubscribers but no idea what those are/were.

Related Objects

Mentioned In: T388590: Stop writing "std:maniphest:security_topic" in "maniphest_customfieldstorage" DB table
T386458: Disable personal Herald rule H334
T301082: stashbot comments leak security issue titles (when mentioning tasks the bot is subscribed on)
Mentioned Here: T386522: Deploy Phabricator/Phorge 2025-02-18
T239355: Deprecate phabricator's fixed_settings.yaml (in puppet) and just use phabricator's built in configuration tools

Event Timeline

Aklapper created this task.Feb 7 2025, 12:47 AM

Aklapper triaged this task as Low priority.

Pushed https://gitlab.wikimedia.org/repos/phabricator/extensions/-/commit/a94aa61703de35f8db39891a6e053c9984a4c4fe, let's see if there's anything in the logs over the next weeks.

Aklapper mentioned this in T301082: stashbot comments leak security issue titles (when mentioning tasks the bot is subscribed on).Feb 14 2025, 11:07 AM

Aklapper mentioned this in T386458: Disable personal Herald rule H334.Feb 14 2025, 12:13 PM

Aklapper added a project: Technical-Debt.Feb 14 2025, 12:27 PM

Alright, digged deeper into this pile of Technical-Debt after finding T386458:

phabricator_maniphest.maniphest_customfieldstringindex DB table shows that T167890 on 2017-06-14 was the last task to create an entry for our security-topic custom field [1].
phabricator_maniphest.maniphest_customfieldstorage DB table shows that we still write a std:maniphest:security_topic entry for every new task up: [2]. Same can be seen by querying via https://phabricator.wikimedia.org/conduit/method/maniphest.query/ showing that entry for every task.
security_topic is defined in https://gitlab.wikimedia.org/repos/phabricator/deployment/-/blob/wmf/stable/scap/templates/phabricator/conf/local/local.json.j2 with only three values ("default", "security-bug", "sensitive") but looking at [3] we see that the fourth value ops-access-request is still used. See also T239355: Deprecate phabricator's fixed_settings.yaml (in puppet) and just use phabricator's built in configuration tools.
- e.g. T386370 is an ops-access-request as form 117 sets that value.
  - To check which forms set a certain default value for a certain field, use this SQL query: [4]
- Code wise, ops-access-request is referenced in a single place: getSecurityProjectForTask() (which is likely dead code, see task description).

While I think that we can remove the dead code, I wonder if we could also stop writing these unread custom values, though simple removal of the custom field will create breakage without fixing forms like 117 (or Herald rules like T386458 might read that field, see also https://we.phorge.it/T15885).

[1] SELECT CONCAT("https://phabricator.wikimedia.org/T",t.id), csi.indexValue FROM phabricator_maniphest.maniphest_customfieldstringindex csi INNER JOIN phabricator_maniphest.maniphest_task t ON csi.objectPHID = t.phid WHERE csi.indexKey = "456XCt.DWg.X" ORDER BY t.id;
[2] SELECT CONCAT("https://phabricator.wikimedia.org/T",t.id), cfs.fieldValue FROM phabricator_maniphest.maniphest_customfieldstorage cfs INNER JOIN phabricator_maniphest.maniphest_task t ON cfs.objectPHID = t.phid WHERE cfs.fieldIndex = "456XCt.DWg.X" ORDER BY t.id;
[3] SELECT CONCAT("https://phabricator.wikimedia.org/T",t.id), csi.indexValue FROM phabricator_maniphest.maniphest_customfieldstringindex csi INNER JOIN phabricator_maniphest.maniphest_task t ON csi.objectPHID = t.phid WHERE csi.indexKey = "456XCt.DWg.X" AND indexValue != "default" ORDER BY t.id;
[4] Example: SELECT CONCAT("https://phabricator.wikimedia.org/transactions/editengine/maniphest.task/defaults/",id,"/") AS form FROM phabricator_search.search_editengineconfiguration WHERE engineKey = "maniphest.task" AND properties LIKE "%\"std:maniphest:security_topic\":\"ops-access-request\"%";

[ak@local wmfphab]$ grep -r security_topic .
./deployment/scap/templates/phabricator/conf/local/local.json.j2: "security_topic": {
./deployment/libext/misc/src/policy/WMFSecurityPolicy.php:        if ($field_key == 'std:maniphest:security_topic') {
./deployment/libext/misc/src/policy/WMFLockTaskController.php:    ->setMetadataValue('customfield:key', 'std:maniphest:security_topic')
./deployment/tools/wmfphablib/phabapi.py:                         "std:maniphest:security_topic": security})
./deployment/tools/bugzilla_create.py:                            "std:maniphest:security_topic":"%s" % (buginfo["secstate"],)})